FSMO Roles

Flexible single master operation (FMSO) is an Active Directory feature. For networks to function properly in an active directory environment, certain roles must be assigned to the Domain Controllers (DC). Such roles are called FMSO roles and the DCs responsible for performing these roles are called FSMO role holders. FMSO roles include three domain specific and two forest specific roles. Domain specific roles include:

• Relative Identifier Master (RID Master): ensures that every Active Directory object receives a unique SID (security identifier). The SID for a new object is made from domain SID and a RID (relative identifier). When a new object is created within a domain, the respective DC (on which the object is made) takes one of its RID and assigns it to the new object. RID master failure leads to the inability to create new objects.
• Primary Domain Controller Emulator (PDC Emulator): this FMSO role allows Windows server to act as a primary domain controller in domains containing domain controllers running Windows NT. In addition, PDC provides assistance in time and group policy synchronization. PDC role was primarily created to enable the active directory domain controllers to co-exist with Windows NT domain controllers. Because of the shift from Windows NT to active directory environment, PDC emulator role has lost its significance.
• Infrastructure Master: this role updates an object’s security identifier and ensures that cross domain references are handled correctly. If infrastructure master fails, then changes to a domain are not visible when viewed from other domains in a forest.

Forest level roles include:

• Schema Master: this role is responsible for maintaining and modifying the active directory schema of the forest. This determines the types of objects allowed in the forest. Failure of the schema master affects the network administrator’s ability to modify the schema. No updates to the active directory is possible.
• Domain Naming Master: domain naming maintains the list of domains included in a forest and allows addition & deletion of domain names from the forest. If domain naming master fails, it is impossible to create or delete domains until the system comes back online.

To function properly, active directory requires that the domain has at least one domain controller and has access to the domain name system (DNS) services. The first domain controller to be brought online in an active directory based network is always assigned to act as the DNS server of the network. All the five FSMO roles are also given to the same domain controller. Regardless of the number of domains in a forest, the forest level FSMO roles are hosted on a single domain controller. FSMO role failures do not pose an immediate significant consequence to the active directory network. However, persistent existence of the problem can lead to network errors. For this, one must:

• Be aware of the signs of a FSMO role failure.
• Know the way to determine which server is responsible for each FSMO. The simplest way to determine this is to install Support Tools from the source (e.g. product CD) and type “netdom query fsmo” on the command prompt to see the controller of the FSMO roles.